# HG changeset patch # User Marcin Kuzminski # Date 2019-03-27 11:29:31 # Node ID 4c21f44c223b0eaacb9cddc3d95a8196668e1666 # Parent 8905c773886871707496e8580e67290b71a989f6 auth: reduced usage of raw auth calls inside templates diff --git a/rhodecode/apps/_base/__init__.py b/rhodecode/apps/_base/__init__.py --- a/rhodecode/apps/_base/__init__.py +++ b/rhodecode/apps/_base/__init__.py @@ -168,6 +168,28 @@ class BaseAppView(object): from rhodecode.lib.base import attach_context_attributes attach_context_attributes(c, self.request, self.request.user.user_id) + c.is_super_admin = c.auth_user.is_admin + + c.can_create_repo = c.is_super_admin + c.can_create_repo_group = c.is_super_admin + c.can_create_user_group = c.is_super_admin + + c.is_delegated_admin = False + + if not c.auth_user.is_default: + c.can_create_repo = h.HasPermissionAny('hg.create.repository')( + user=self.request.user) + repositories = c.auth_user.repositories_admin or c.can_create_repo + + c.can_create_repo_group = h.HasPermissionAny('hg.repogroup.create.true')( + user=self.request.user) + repository_groups = c.auth_user.repository_groups_admin or c.can_create_repo_group + + c.can_create_user_group = h.HasPermissionAny('hg.usergroup.create.true')( + user=self.request.user) + user_groups = c.auth_user.user_groups_admin or c.can_create_user_group + # delegated admin can create, or manage some objects + c.is_delegated_admin = repositories or repository_groups or user_groups return c def _get_template_context(self, tmpl_args, **kwargs): diff --git a/rhodecode/apps/admin/views/main_views.py b/rhodecode/apps/admin/views/main_views.py --- a/rhodecode/apps/admin/views/main_views.py +++ b/rhodecode/apps/admin/views/main_views.py 
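Review bot: `c.is_delegated_admin = repositories or repository_groups or user_groups` stores whichever operand is truthy rather than a flag, so when `c.auth_user.repositories_admin` is a non-empty collection the attribute carries that collection into the template context and anything that renders, serializes or compares it as a boolean gets the collection instead; coerce it with `c.is_delegated_admin = bool(repositories or repository_groups or user_groups)`. The super-admin flag is read from `c.auth_user.is_admin` while the three `HasPermissionAny` checks are evaluated against `self.request.user`; if those can ever be different objects the flags will disagree, so it is worth confirming they are the same AuthUser and deriving all four flags from one of them. Since `c.is_delegated_admin` is used as an access gate elsewhere in this commit, a comment above the `if not c.auth_user.is_default:` block stating that the flag grants visibility of the admin landing page would help the next reader. The enclosing method begins before the hunk.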
@@ -20,12 +20,12 @@ import logging -from pyramid.httpexceptions import HTTPFound +from pyramid.httpexceptions import HTTPFound, HTTPNotFound from pyramid.view import view_config from rhodecode.apps._base import BaseAppView from rhodecode.lib import helpers as h -from rhodecode.lib.auth import (LoginRequired, HasPermissionAllDecorator) +from rhodecode.lib.auth import (LoginRequired, NotAnonymous) from rhodecode.model.db import PullRequest @@ -38,13 +38,17 @@ class AdminMainView(BaseAppView): return c @LoginRequired() - @HasPermissionAllDecorator('hg.admin') + @NotAnonymous() @view_config( route_name='admin_home', request_method='GET', renderer='rhodecode:templates/admin/main.mako') def admin_main(self): c = self.load_default_context() c.active = 'admin' + + if not (c.is_super_admin or c.is_delegated_admin): + raise HTTPNotFound() + return self._get_template_context(c) @LoginRequired() @@ -54,8 +58,7 @@ class AdminMainView(BaseAppView): def pull_requests(self): """ Global redirect for Pull Requests - - :param pull_request_id: id of pull requests in the system + pull_request_id: id of pull requests in the system """ pull_request = PullRequest.get_or_404( diff --git a/rhodecode/lib/auth.py b/rhodecode/lib/auth.py --- a/rhodecode/lib/auth.py +++ b/rhodecode/lib/auth.py @@ -2078,8 +2078,7 @@ class HasRepoPermissionAny(PermsFunction class HasRepoGroupPermissionAny(PermsFunction): def __call__(self, group_name=None, check_location='', user=None): self.repo_group_name = group_name - return super(HasRepoGroupPermissionAny, self).__call__( - check_location, user) + return super(HasRepoGroupPermissionAny, self).__call__(check_location, user) def check_permissions(self, user): perms = user.permissions 
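Review bot: in the `@@ -38` hunk the authorization for `admin_main` moves from the removed `HasPermissionAllDecorator('hg.admin')` into an in-body check, `if not (c.is_super_admin or c.is_delegated_admin): raise HTTPNotFound()`, that only works because `self.load_default_context()` populates those two flags in `BaseAppView`; nothing enforces the gate if a subclass overrides `load_default_context`, and a missing attribute would raise rather than deny. Consider evaluating the condition against `self.request.user` directly so the gate does not depend on template-context state, or at least document the intent above the `if`, e.g. `# super admins and delegated admins (repo/repo-group/user-group admins or creators) may see the admin landing page; others get 404 rather than 403 so the page is not disclosed`. Moving the check to be the first statement after `load_default_context()` (before `c.active = 'admin'`) would also make it read as the guard it is.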
@@ -2095,8 +2094,7 @@ class HasRepoGroupPermissionAny(PermsFun class HasRepoGroupPermissionAll(PermsFunction): def __call__(self, group_name=None, check_location='', user=None): self.repo_group_name = group_name - return super(HasRepoGroupPermissionAll, self).__call__( - check_location, user) + return super(HasRepoGroupPermissionAll, self).__call__(check_location, user) def check_permissions(self, user): perms = user.permissions @@ -2112,8 +2110,7 @@ class HasRepoGroupPermissionAll(PermsFun class HasUserGroupPermissionAny(PermsFunction): def __call__(self, user_group_name=None, check_location='', user=None): self.user_group_name = user_group_name - return super(HasUserGroupPermissionAny, self).__call__( - check_location, user) + return super(HasUserGroupPermissionAny, self).__call__(check_location, user) def check_permissions(self, user): perms = user.permissions @@ -2129,8 +2126,7 @@ class HasUserGroupPermissionAny(PermsFun class HasUserGroupPermissionAll(PermsFunction): def __call__(self, user_group_name=None, check_location='', user=None): self.user_group_name = user_group_name - return super(HasUserGroupPermissionAll, self).__call__( - check_location, user) + return super(HasUserGroupPermissionAll, self).__call__(check_location, user) def check_permissions(self, user): perms = user.permissions diff --git a/rhodecode/lib/base.py b/rhodecode/lib/base.py --- a/rhodecode/lib/base.py +++ b/rhodecode/lib/base.py @@ -288,7 +288,6 @@ def attach_context_attributes(context, r """ config = request.registry.settings - rc_config = SettingsModel().get_all_settings(cache=True) context.rhodecode_version = rhodecode.__version__ diff --git a/rhodecode/templates/admin/gists/index.mako b/rhodecode/templates/admin/gists/index.mako --- a/rhodecode/templates/admin/gists/index.mako +++ b/rhodecode/templates/admin/gists/index.mako @@ -52,7 +52,7 @@ ##main
- %if h.HasPermissionAny('hg.admin')() or c.gist.gist_owner == c.rhodecode_user.user_id:
+ %if c.is_super_admin or c.gist.gist_owner == c.rhodecode_user.user_id:
${h.secure_form(h.route_path('gist_delete', gist_id=c.gist.gist_access_id), request=request)} ${h.submit('remove_gist', _('Delete'),class_="btn btn-mini btn-danger",onclick="return confirm('"+_('Confirm to delete this Gist')+"');")} @@ -59,7 +59,7 @@ ## only owner should see that ${_('Copy content')} - %if h.HasPermissionAny('hg.admin')() or c.gist.gist_owner == c.rhodecode_user.user_id: + %if c.is_super_admin or c.gist.gist_owner == c.rhodecode_user.user_id: ${h.link_to(_('Edit'), h.route_path('gist_edit', gist_id=c.gist.gist_access_id), class_="btn btn-mini")} %endif ${h.link_to(_('Show as Raw'), h.route_path('gist_show_formatted', gist_id=c.gist.gist_access_id, revision='tip', format='raw'), class_="btn btn-mini")} diff --git a/rhodecode/templates/admin/main.mako b/rhodecode/templates/admin/main.mako --- a/rhodecode/templates/admin/main.mako +++ b/rhodecode/templates/admin/main.mako @@ -34,16 +34,8 @@
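Review bot: both `%if` conditions in this template now gate the Delete form and the Edit link on `c.is_super_admin`, which in this commit is only populated by `BaseAppView._get_local_tmpl_context`; if any view still renders `gists/index.mako` without passing through that method the attribute is undefined, and whether Mako then raises or silently evaluates to false depends on the context object, so every caller of this template should be verified. The replaced `h.HasPermissionAny('hg.admin')()` evaluated the request user's permissions at render time, whereas `c.is_super_admin` is `c.auth_user.is_admin`, which is equivalent only if `c.auth_user` is that same user. A template comment next to the first `%if`, such as `## c.is_super_admin and c.rhodecode_user are set by BaseAppView; only the owner or a super admin may delete/edit`, would make that dependency explicit.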
##main - diff --git a/rhodecode/templates/admin/repo_groups/repo_group_edit_permissions.mako b/rhodecode/templates/admin/repo_groups/repo_group_edit_permissions.mako --- a/rhodecode/templates/admin/repo_groups/repo_group_edit_permissions.mako +++ b/rhodecode/templates/admin/repo_groups/repo_group_edit_permissions.mako @@ -141,7 +141,7 @@ ${h.radio('g_perm_%s' % _user_group.users_group_id,'group.admin', checked=_user_group.permission=='group.admin')} - %if h.HasPermissionAny('hg.admin')(): + %if c.is_super_admin: ${_user_group.users_group_name} diff --git a/rhodecode/templates/admin/repo_groups/repo_groups.mako b/rhodecode/templates/admin/repo_groups/repo_groups.mako --- a/rhodecode/templates/admin/repo_groups/repo_groups.mako +++ b/rhodecode/templates/admin/repo_groups/repo_groups.mako @@ -26,7 +26,7 @@